Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of September 2017

New Detection Technique - Apache Struts (CVE-2017-9805)

A new vulnerability, CVE-2017-9805, has been discovered in Apache Struts REST plugin. It manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.

We've added IDS signatures and the following correlation rule to detect this activity:

KHRAT is a Remote Access Trojan used by threat actors to target Cambodian citizens. KHRAT registers itself to the C2 server by sending the username, system language, and local IP address of the compromised system. Threat actors can use KHRAT for keylogging, screenshot capabilities, remote shell access, and other common RAT functionality.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Malware RAT, KHRAT

New Detection Technique - Ransomware

In the past week, we've seen an uptick in ransomware activity in the wild. We've added IDS signatures and the following correlation rules to detect new ransomware families:

System Compromise, Ransomware infection, ApolloLocker

System Compromise, Ransomware infection, Ultimo

System Compromise, Ransomware infection, Zaepk

We also added IDS signatures and updated correlation rules to better detect the following ransomware families:

System Compromise, Ransomware infection, Cerber

System Compromise, Ransomware infection, Locky

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

System Compromise, Malware RAT, NetSupport RAT

System Compromise, Trojan infection, Pye2Exe/LaZange

System Compromise, Trojan infection, Queequeg

Updated Detection Technique - Exploit Kits

Exploit kits are used in "drive-by downloads." Undetectable by normal users, these kits are embedded in websites by attackers. When a user browses to a website hosting an exploit kit, the kit attempts all known attack methods to compromise the user and install malware on the user's machine. This approach is a common attack vector and a major source of infections for end users. Cybercriminals constantly change the patterns they use within their code to evade detection.

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:

System Compromise, C&C Communication, Known malicious SSL certificate

System Compromise, C&C Communication, Panda Banker SSL activity

System Compromise, C&C Communication, URLzone SSL Certificate

Updated Detection Technique - Remote Access Tools

The typical attack pattern involves first an attack (exploited vulnerability) and then installation of malware. Often this last step includes a Remote Administration Toolkit (RAT) used to gain control of the compromised machine.

We added IDS signatures and correlation rules to detect the following RAT activity:

System Compromise, Malware RAT, KONNI

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity: